hazo_auth 0.1.0

package/migrations/001_add_token_type_to_refresh_tokens.sql

@@ -0,0 +1,14 @@
+-- file_description: migration to add token_type column to hazo_refresh_tokens table for password reset functionality
+-- This migration adds a token_type column to distinguish between refresh tokens and password reset tokens
+
+-- Add token_type column with CHECK constraint
+ALTER TABLE hazo_refresh_tokens 
+ADD COLUMN token_type TEXT NOT NULL DEFAULT 'refresh' 
+CHECK (token_type IN ('refresh', 'password_reset', 'email_verification'));
+
+-- Create index on token_type for faster queries
+CREATE INDEX IF NOT EXISTS idx_hazo_refresh_tokens_token_type ON hazo_refresh_tokens(token_type);
+
+-- Create index on token_type and user_id for password reset token lookups
+CREATE INDEX IF NOT EXISTS idx_hazo_refresh_tokens_user_type ON hazo_refresh_tokens(user_id, token_type);
+

package/migrations/002_add_name_to_hazo_users.sql

@@ -0,0 +1,7 @@
+-- file_description: migration to add name column to hazo_users table
+-- This migration adds a name text field to store user's full name
+
+-- Add name column (nullable, as existing users may not have a name)
+ALTER TABLE hazo_users 
+ADD COLUMN name TEXT;
+

package/next.config.mjs

@@ -0,0 +1,55 @@
+// file_description: configure next.js application settings for the ui_component project
+// section: imports
+import path from "path";
+import { fileURLToPath } from "url";
+
+// section: path_resolution
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// section: base_configuration
+const next_config = {
+  /* config options here */
+  // Note: hazo_connect configuration is now read from hazo_auth_config.ini using hazo_config
+  // Environment variables are only used as fallback if hazo_auth_config.ini is not found
+  // See hazo_auth_config.ini for hazo_connect configuration parameters
+  env: {
+    // Environment variables can be set here as fallback, but hazo_auth_config.ini is preferred
+    // HAZO_CONNECT_ENABLE_ADMIN_UI: "true",
+    // HAZO_CONNECT_SQLITE_PATH: path.resolve(__dirname, "__tests__", "fixtures", "hazo_auth.sqlite"),
+  },
+  // Note: serverComponentsExternalPackages is not available in Next.js 14.2
+  // Using webpack externals configuration instead (see webpack section below)
+  // section: webpack_configuration
+  webpack: (config, { isServer }) => {
+    // Exclude sql.js from webpack bundling for API routes
+    // These packages use Node.js module.exports which doesn't work in webpack context
+    if (isServer) {
+      config.externals = config.externals || [];
+      // Add sql.js as external to prevent webpack from bundling it
+      if (Array.isArray(config.externals)) {
+        config.externals.push("sql.js");
+        // Exclude hazo_notify from Edge runtime bundles (middleware)
+        // hazo_notify is only available in Node.js runtime (server bundles), not Edge runtime
+        // This ensures hazo_notify is loaded at runtime for API routes using Node.js runtime
+        config.externals.push("hazo_notify");
+      } else {
+        config.externals = [config.externals, "sql.js", "hazo_notify"];
+      }
+    } else {
+      // Client-side: exclude server-only files from client bundles
+      config.resolve.alias = {
+        ...config.resolve.alias,
+        "@/lib/hazo_connect_setup.server": false,
+        "@/lib/hazo_connect_instance.server": false,
+        "@/lib/login_config.server": false,
+        // Exclude hazo_notify from client bundles
+        "hazo_notify": false,
+      };
+    }
+    return config;
+  },
+};
+
+export default next_config;
+

package/package.json

@@ -0,0 +1,114 @@
+{
+  "name": "hazo_auth",
+  "version": "0.1.0",
+  "files": [
+    "src/**/*",
+    "public/file.svg",
+    "public/globe.svg",
+    "public/next.svg",
+    "public/vercel.svg",
+    "public/window.svg",
+    "hazo_auth_config.example.ini",
+    "hazo_notify_config.example.ini",
+    "README.md",
+    "LICENSE",
+    "tsconfig.json",
+    "tailwind.config.ts",
+    "postcss.config.mjs",
+    "next.config.mjs",
+    "components.json",
+    "instrumentation.ts",
+    "migrations/**/*",
+    "scripts/**/*"
+  ],
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "next lint",
+    "storybook": "storybook dev -p 6006",
+    "build-storybook": "storybook build",
+    "dev:server": "tsx src/server/index.ts",
+    "migrate": "tsx scripts/apply_migration.ts",
+    "test": "cross-env NODE_ENV=test POSTGREST_URL=http://209.38.26.241:4402 POSTGREST_API_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYXBpX3VzZXIifQ.zBoUGymrxTUk1DNYIGUCtQU4HFaWEHlbE9_8Y3hUaTw jest --runInBand",
+    "test:watch": "cross-env NODE_ENV=test POSTGREST_URL=http://209.38.26.241:4402 POSTGREST_API_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYXBpX3VzZXIifQ.zBoUGymrxTUk1DNYIGUCtQU4HFaWEHlbE9_8Y3hUaTw jest --watch"
+  },
+  "dependencies": {
+    "@radix-ui/react-avatar": "^1.1.11",
+    "@radix-ui/react-dialog": "^1.1.15",
+    "@radix-ui/react-label": "^2.1.8",
+    "@radix-ui/react-separator": "^1.1.8",
+    "@radix-ui/react-slot": "^1.2.4",
+    "@radix-ui/react-switch": "^1.2.6",
+    "@radix-ui/react-tabs": "^1.1.13",
+    "@radix-ui/react-tooltip": "^1.2.8",
+    "argon2": "^0.44.0",
+    "axios": "^1.13.2",
+    "browser-image-compression": "^2.0.2",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "compression": "^1.8.1",
+    "cookie-parser": "^1.4.7",
+    "cors": "^2.8.5",
+    "date-fns": "^4.1.0",
+    "express": "^5.1.0",
+    "express-rate-limit": "^8.2.1",
+    "gravatar-url": "^4.0.1",
+    "handlebars": "^4.7.8",
+    "hazo_config": "^1.3.0",
+    "hazo_connect": "^2.0.0",
+    "hazo_notify": "^1.0.0",
+    "helmet": "^8.1.0",
+    "ini": "^6.0.0",
+    "jsonwebtoken": "^9.0.2",
+    "lucide-react": "^0.553.0",
+    "mime-types": "^3.0.1",
+    "morgan": "^1.10.1",
+    "multer": "^2.0.2",
+    "next": "^14.2.7",
+    "next-themes": "^0.4.6",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1",
+    "sonner": "^2.0.7",
+    "tailwind-merge": "^3.4.0",
+    "tailwindcss-animate": "^1.0.7",
+    "zod": "^4.1.12"
+  },
+  "devDependencies": {
+    "@chromatic-com/storybook": "^4.1.2",
+    "@storybook/addon-a11y": "^10.0.6",
+    "@storybook/addon-docs": "^10.0.6",
+    "@storybook/addon-onboarding": "^10.0.6",
+    "@storybook/addon-vitest": "^10.0.6",
+    "@storybook/nextjs": "^10.0.6",
+    "@testing-library/jest-dom": "^6.6.3",
+    "@testing-library/react": "^16.0.1",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/compression": "^1.8.1",
+    "@types/cookie-parser": "^1.4.10",
+    "@types/cors": "^2.8.19",
+    "@types/express": "^5.0.5",
+    "@types/ini": "^4.1.1",
+    "@types/jest": "^30.0.0",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/multer": "^2.0.0",
+    "@types/node": "^20.19.24",
+    "@types/react": "^18",
+    "@types/react-dom": "^18",
+    "better-sqlite3": "^12.4.1",
+    "cross-env": "^10.1.0",
+    "eslint": "^8",
+    "eslint-config-next": "^14.2.7",
+    "eslint-plugin-storybook": "^10.0.6",
+    "jest": "^30.2.0",
+    "jest-environment-jsdom": "^29.7.0",
+    "patch-package": "^8.0.1",
+    "postcss": "^8",
+    "storybook": "^10.0.6",
+    "supertest": "^7.1.4",
+    "tailwindcss": "^3.4.1",
+    "ts-jest": "^29.4.5",
+    "tsx": "^4.20.6",
+    "typescript": "^5"
+  }
+}

package/postcss.config.mjs

@@ -0,0 +1,8 @@
+/** @type {import('postcss-load-config').Config} */
+const config = {
+  plugins: {
+    tailwindcss: {},
+  },
+};
+
+export default config;

package/public/file.svg

@@ -0,0 +1 @@
+<svg fill="none" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg"><path d="M14.5 13.5V5.41a1 1 0 0 0-.3-.7L9.8.29A1 1 0 0 0 9.08 0H1.5v13.5A2.5 2.5 0 0 0 4 16h8a2.5 2.5 0 0 0 2.5-2.5m-1.5 0v-7H8v-5H3v12a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1M9.5 5V2.12L12.38 5zM5.13 5h-.62v1.25h2.12V5zm-.62 3h7.12v1.25H4.5zm.62 3h-.62v1.25h7.12V11z" clip-rule="evenodd" fill="#666" fill-rule="evenodd"/></svg>

package/public/globe.svg

@@ -0,0 +1 @@
+<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><g clip-path="url(#a)"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.27 14.1a6.5 6.5 0 0 0 3.67-3.45q-1.24.21-2.7.34-.31 1.83-.97 3.1M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16m.48-1.52a7 7 0 0 1-.96 0H7.5a4 4 0 0 1-.84-1.32q-.38-.89-.63-2.08a40 40 0 0 0 3.92 0q-.25 1.2-.63 2.08a4 4 0 0 1-.84 1.31zm2.94-4.76q1.66-.15 2.95-.43a7 7 0 0 0 0-2.58q-1.3-.27-2.95-.43a18 18 0 0 1 0 3.44m-1.27-3.54a17 17 0 0 1 0 3.64 39 39 0 0 1-4.3 0 17 17 0 0 1 0-3.64 39 39 0 0 1 4.3 0m1.1-1.17q1.45.13 2.69.34a6.5 6.5 0 0 0-3.67-3.44q.65 1.26.98 3.1M8.48 1.5l.01.02q.41.37.84 1.31.38.89.63 2.08a40 40 0 0 0-3.92 0q.25-1.2.63-2.08a4 4 0 0 1 .85-1.32 7 7 0 0 1 .96 0m-2.75.4a6.5 6.5 0 0 0-3.67 3.44 29 29 0 0 1 2.7-.34q.31-1.83.97-3.1M4.58 6.28q-1.66.16-2.95.43a7 7 0 0 0 0 2.58q1.3.27 2.95.43a18 18 0 0 1 0-3.44m.17 4.71q-1.45-.12-2.69-.34a6.5 6.5 0 0 0 3.67 3.44q-.65-1.27-.98-3.1" fill="#666"/></g><defs><clipPath id="a"><path fill="#fff" d="M0 0h16v16H0z"/></clipPath></defs></svg>

package/public/next.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 394 80"><path fill="#000" d="M262 0h68.5v12.7h-27.2v66.6h-13.6V12.7H262V0ZM149 0v12.7H94v20.4h44.3v12.6H94v21h55v12.6H80.5V0h68.7zm34.3 0h-17.8l63.8 79.4h17.9l-32-39.7 32-39.6h-17.9l-23 28.6-23-28.6zm18.3 56.7-9-11-27.1 33.7h17.8l18.3-22.7z"/><path fill="#000" d="M81 79.3 17 0H0v79.3h13.6V17l50.2 62.3H81Zm252.6-.4c-1 0-1.8-.4-2.5-1s-1.1-1.6-1.1-2.6.3-1.8 1-2.5 1.6-1 2.6-1 1.8.3 2.5 1a3.4 3.4 0 0 1 .6 4.3 3.7 3.7 0 0 1-3 1.8zm23.2-33.5h6v23.3c0 2.1-.4 4-1.3 5.5a9.1 9.1 0 0 1-3.8 3.5c-1.6.8-3.5 1.3-5.7 1.3-2 0-3.7-.4-5.3-1s-2.8-1.8-3.7-3.2c-.9-1.3-1.4-3-1.4-5h6c.1.8.3 1.6.7 2.2s1 1.2 1.6 1.5c.7.4 1.5.5 2.4.5 1 0 1.8-.2 2.4-.6a4 4 0 0 0 1.6-1.8c.3-.8.5-1.8.5-3V45.5zm30.9 9.1a4.4 4.4 0 0 0-2-3.3 7.5 7.5 0 0 0-4.3-1.1c-1.3 0-2.4.2-3.3.5-.9.4-1.6 1-2 1.6a3.5 3.5 0 0 0-.3 4c.3.5.7.9 1.3 1.2l1.8 1 2 .5 3.2.8c1.3.3 2.5.7 3.7 1.2a13 13 0 0 1 3.2 1.8 8.1 8.1 0 0 1 3 6.5c0 2-.5 3.7-1.5 5.1a10 10 0 0 1-4.4 3.5c-1.8.8-4.1 1.2-6.8 1.2-2.6 0-4.9-.4-6.8-1.2-2-.8-3.4-2-4.5-3.5a10 10 0 0 1-1.7-5.6h6a5 5 0 0 0 3.5 4.6c1 .4 2.2.6 3.4.6 1.3 0 2.5-.2 3.5-.6 1-.4 1.8-1 2.4-1.7a4 4 0 0 0 .8-2.4c0-.9-.2-1.6-.7-2.2a11 11 0 0 0-2.1-1.4l-3.2-1-3.8-1c-2.8-.7-5-1.7-6.6-3.2a7.2 7.2 0 0 1-2.4-5.7 8 8 0 0 1 1.7-5 10 10 0 0 1 4.3-3.5c2-.8 4-1.2 6.4-1.2 2.3 0 4.4.4 6.2 1.2 1.8.8 3.2 2 4.3 3.4 1 1.4 1.5 3 1.5 5h-5.8z"/></svg>

package/public/vercel.svg

@@ -0,0 +1 @@
+<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1155 1000"><path d="m577.3 0 577.4 1000H0z" fill="#fff"/></svg>

package/public/window.svg

@@ -0,0 +1 @@
+<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><path fill-rule="evenodd" clip-rule="evenodd" d="M1.5 2.5h13v10a1 1 0 0 1-1 1h-11a1 1 0 0 1-1-1zM0 1h16v11.5a2.5 2.5 0 0 1-2.5 2.5h-11A2.5 2.5 0 0 1 0 12.5zm3.75 4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5M7 4.75a.75.75 0 1 1-1.5 0 .75.75 0 0 1 1.5 0m1.75.75a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5" fill="#666"/></svg>

package/scripts/apply_migration.ts

@@ -0,0 +1,118 @@
+// file_description: script to apply database migrations directly to SQLite database
+// Run with: npx tsx scripts/apply_migration.ts
+// section: imports
+import Database from "better-sqlite3";
+import path from "path";
+import fs from "fs";
+
+// section: helpers
+function get_database_path(): string {
+  // Read from hazo_auth_config.ini or use default
+  const config_path = path.resolve(process.cwd(), "hazo_auth_config.ini");
+  let sqlite_path: string | undefined;
+
+  if (fs.existsSync(config_path)) {
+    try {
+      const config_content = fs.readFileSync(config_path, "utf-8");
+      const sqlite_path_match = config_content.match(/sqlite_path\s*=\s*(.+)/);
+      if (sqlite_path_match) {
+        sqlite_path = sqlite_path_match[1].trim();
+      }
+    } catch (error) {
+      console.warn("Could not read hazo_auth_config.ini, using default path");
+    }
+  }
+
+  // Default path if not found in config
+  if (!sqlite_path) {
+    sqlite_path = "__tests__/fixtures/hazo_auth.sqlite";
+  }
+
+  // Resolve to absolute path
+  const resolved_path = path.isAbsolute(sqlite_path)
+    ? sqlite_path
+    : path.resolve(process.cwd(), sqlite_path);
+
+  return path.normalize(resolved_path);
+}
+
+function apply_migration_sql(db: Database.Database, sql: string): void {
+  // Remove comments (lines starting with --)
+  const sql_without_comments = sql
+    .split("\n")
+    .filter((line) => !line.trim().startsWith("--"))
+    .join("\n");
+
+  // Split by semicolon and execute each statement
+  const statements = sql_without_comments
+    .split(";")
+    .map((stmt) => stmt.trim())
+    .filter((stmt) => stmt.length > 0);
+
+  console.log(`Found ${statements.length} SQL statement(s) to execute\n`);
+
+  for (let i = 0; i < statements.length; i++) {
+    const statement = statements[i];
+    try {
+      db.exec(statement + ";");
+      console.log(`✓ [${i + 1}/${statements.length}] Executed:`, statement.substring(0, 100));
+    } catch (error) {
+      // Check if error is because column/index already exists
+      const error_message = error instanceof Error ? error.message : String(error);
+      if (
+        error_message.includes("duplicate column") ||
+        error_message.includes("already exists") ||
+        error_message.includes("UNIQUE constraint failed") ||
+        error_message.includes("index already exists")
+      ) {
+        console.log(`⚠ [${i + 1}/${statements.length}] Already exists, skipping:`, statement.substring(0, 100));
+      } else {
+        console.error(`✗ [${i + 1}/${statements.length}] Error:`, error_message);
+        throw error;
+      }
+    }
+  }
+}
+
+// section: main
+function main() {
+  const db_path = get_database_path();
+
+  console.log("Applying migration to database:", db_path);
+
+  if (!fs.existsSync(db_path)) {
+    console.error("Database file not found:", db_path);
+    process.exit(1);
+  }
+
+  // Get migration file from command line argument or use default
+  const migration_file_arg = process.argv[2];
+  const migration_file = migration_file_arg
+    ? path.resolve(process.cwd(), migration_file_arg)
+    : path.resolve(process.cwd(), "migrations", "002_add_name_to_hazo_users.sql");
+
+  if (!fs.existsSync(migration_file)) {
+    console.error("Migration file not found:", migration_file);
+    console.error("\nUsage: npx tsx scripts/apply_migration.ts [migration_file_path]");
+    process.exit(1);
+  }
+
+  const db = new Database(db_path);
+
+  try {
+    const migration_sql = fs.readFileSync(migration_file, "utf-8");
+
+    console.log(`\nApplying migration: ${path.basename(migration_file)}`);
+    apply_migration_sql(db, migration_sql);
+
+    console.log("\n✓ Migration applied successfully!");
+  } catch (error) {
+    console.error("Error applying migration:", error);
+    process.exit(1);
+  } finally {
+    db.close();
+  }
+}
+
+main();
+

package/src/app/api/auth/change_password/route.ts

@@ -0,0 +1,109 @@
+// file_description: API route for changing user password
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { get_hazo_connect_instance } from "@/lib/hazo_connect_instance.server";
+import { create_app_logger } from "@/lib/app_logger";
+import { change_password } from "@/lib/services/password_change_service";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+import { require_auth } from "@/lib/auth/auth_utils.server";
+
+// section: api_handler
+export async function POST(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    // Use centralized auth check
+    let user_id: string;
+    try {
+      const user = await require_auth(request);
+      user_id = user.user_id;
+    } catch (error) {
+      if (error instanceof Error && error.message === "Authentication required") {
+        logger.warn("password_change_authentication_failed", {
+          filename: get_filename(),
+          line_number: get_line_number(),
+          error: "User not authenticated",
+        });
+
+        return NextResponse.json(
+          { error: "Authentication required" },
+          { status: 401 }
+        );
+      }
+      throw error;
+    }
+
+    const body = await request.json();
+    const { current_password, new_password } = body;
+
+    // Validate input
+    if (!current_password || !new_password) {
+      logger.warn("password_change_validation_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        error: "Missing required fields",
+        has_current_password: !!current_password,
+        has_new_password: !!new_password,
+      });
+
+      return NextResponse.json(
+        { error: "Current password and new password are required" },
+        { status: 400 }
+      );
+    }
+
+    // Get singleton hazo_connect instance
+    const hazoConnect = get_hazo_connect_instance();
+
+    // Change password
+    const result = await change_password(hazoConnect, user_id, {
+      current_password,
+      new_password,
+    });
+
+    if (!result.success) {
+      logger.warn("password_change_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        error: result.error,
+        user_id,
+      });
+
+      return NextResponse.json(
+        { error: result.error || "Failed to change password" },
+        { status: 400 }
+      );
+    }
+
+    logger.info("password_change_successful", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      user_id,
+    });
+
+    return NextResponse.json(
+      {
+        success: true,
+        message: "Password changed successfully",
+      },
+      { status: 200 }
+    );
+  } catch (error) {
+    const error_message =
+      error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("password_change_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    return NextResponse.json(
+      { error: "Failed to change password. Please try again." },
+      { status: 500 }
+    );
+  }
+}
+

package/src/app/api/auth/forgot_password/route.ts

@@ -0,0 +1,107 @@
+// file_description: API route for password reset requests using hazo_connect
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { get_hazo_connect_instance } from "@/lib/hazo_connect_instance.server";
+import { create_app_logger } from "@/lib/app_logger";
+import { request_password_reset } from "@/lib/services/password_reset_service";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+
+// section: api_handler
+export async function POST(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    const body = await request.json();
+    const { email } = body;
+
+    // Validate input
+    if (!email) {
+      logger.warn("password_reset_validation_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        email: email || "missing",
+      });
+
+      return NextResponse.json(
+        { error: "Email is required" },
+        { status: 400 }
+      );
+    }
+
+    // Validate email format
+    const email_pattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!email_pattern.test(email)) {
+      logger.warn("password_reset_invalid_email", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        email,
+      });
+
+      return NextResponse.json(
+        { error: "Invalid email address format" },
+        { status: 400 }
+      );
+    }
+
+    // Get singleton hazo_connect instance (reuses same connection across all routes)
+    const hazoConnect = get_hazo_connect_instance();
+
+    // Request password reset using the password reset service
+    const result = await request_password_reset(hazoConnect, {
+      email,
+    });
+
+    if (!result.success) {
+      logger.warn("password_reset_failed", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        email,
+        error: result.error,
+      });
+
+      // Still return 200 OK to prevent email enumeration attacks
+      return NextResponse.json(
+        {
+          success: true,
+          message: "If an account with that email exists, a password reset link has been sent.",
+        },
+        { status: 200 }
+      );
+    }
+
+    logger.info("password_reset_requested", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      email,
+    });
+
+    // Always return success to prevent email enumeration attacks
+    return NextResponse.json(
+      {
+        success: true,
+        message: "If an account with that email exists, a password reset link has been sent.",
+      },
+      { status: 200 }
+    );
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("password_reset_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    // Still return 200 OK to prevent email enumeration attacks
+    return NextResponse.json(
+      {
+        success: true,
+        message: "If an account with that email exists, a password reset link has been sent.",
+      },
+      { status: 200 }
+    );
+  }
+}
+

package/src/app/api/auth/library_photos/route.ts

@@ -0,0 +1,70 @@
+// file_description: API route for listing library photo categories and photos in categories
+// section: imports
+import { NextRequest, NextResponse } from "next/server";
+import { get_library_categories, get_library_photos } from "@/lib/services/profile_picture_service";
+import { create_app_logger } from "@/lib/app_logger";
+import { get_filename, get_line_number } from "@/lib/utils/api_route_helpers";
+
+// section: api_handler
+export async function GET(request: NextRequest) {
+  const logger = create_app_logger();
+
+  try {
+    const { searchParams } = new URL(request.url);
+    const category = searchParams.get("category");
+
+    if (category) {
+      // Return photos in the specified category
+      const photos = get_library_photos(category);
+
+      logger.info("library_photos_category_requested", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        category,
+        photoCount: photos.length,
+      });
+
+      return NextResponse.json(
+        {
+          success: true,
+          category,
+          photos,
+        },
+        { status: 200 }
+      );
+    } else {
+      // Return list of categories
+      const categories = get_library_categories();
+
+      logger.info("library_categories_requested", {
+        filename: get_filename(),
+        line_number: get_line_number(),
+        categoryCount: categories.length,
+      });
+
+      return NextResponse.json(
+        {
+          success: true,
+          categories,
+        },
+        { status: 200 }
+      );
+    }
+  } catch (error) {
+    const error_message = error instanceof Error ? error.message : "Unknown error";
+    const error_stack = error instanceof Error ? error.stack : undefined;
+
+    logger.error("library_photos_error", {
+      filename: get_filename(),
+      line_number: get_line_number(),
+      error_message,
+      error_stack,
+    });
+
+    return NextResponse.json(
+      { error: "Failed to fetch library photos" },
+      { status: 500 }
+    );
+  }
+}
+